Pre-Installed Android Malware Raises Security Risks in Supply Chain

The Trojan application collects information and can take a variety of privacy-invading actions. These include leaking the phone's location, "listening to and recording telephone calls or conversations, making purchases, bank fraud or sending premium SMS messages," G DATA stated.
The result? Potentially stolen data and a large phone bill for the user; additional profits for the operator behind the malicious code.
G DATA recognized the first infections in Android mobile phones early last year. Since then, the number of incidents has increased, Hayter said.
While the problems mainly affect China, a small number of phones have appeared in Europe. Some compromised devices have been sold online through eBay and other auction sites, Hayter said.

Businesses need to worry about pre-loaded malware and potentially unwanted programs (PUPs) because such software can bypass the security checks on the phone. For consumers, the issue poses privacy problems. The operator controlling the malware can make additional cash by forcing advertising to show up on the phone and selling information about the user.

While security technology can detect malware on a phone, some surveillance programs can sneak by such defenses.
Earlier this year, documents leaked by the offensive-security firm Hacking Team revealed that the company had extensive tools for compromising mobile devices with programs designed to collect information on the user and their communications. While security firms had some ability to detect the programs, Hacking Team found ways to evade detection.
For many users, that means the first line of defense is to verify the security of the retailers from whom you or your company buys mobile technology, says Hayter. A trusted and vetted supply chain will not guarantee security, but it at least assures users and companies that the provider takes cyber-security seriously.
"Go through a trusted provider, not the street corner," Hayter said.
Issues such as bloatware may be more minor, but they still represent a failure to secure the supply chain, Veracode's Titonis said. By installing bloatware on their products, manufacturers show they are willing to work against their customers' interests, trading consumers' privacy for a little more revenue.
Such tactics leave consumers vulnerable to third-party applications that the device manufacturer has likely not vetted very well.
"I don't know how many people ask me, after they buy a phone, how to get rid of bloatware," Titonis said. "And that's the stuff the consumer can see, but there is a lot more that they can't see."
With an estimated 50 billion devices connected to the Internet by 2020, making sure that those devices are secured from the manufacturer to the consumer is important. Equally important is making sure that manufacturers are not putting untrusted software on the devices, risking consumers' privacy.